March Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > CompTIA > PenTest+ > PT0-002

PT0-002 CompTIA PenTest+ Certification Exam Question and Answers

Question # 4

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

A.

OpenVAS

B.

Drozer

C.

Burp Suite

D.

OWASP ZAP

Full Access
Question # 5

Penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking :. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely next step for the penetration?

A.

Alert the target company of the discovered information.

B.

Verify the discovered information is correct with the manufacturer.

C.

Scan the equipment and verify the findings.

D.

Return to the dumpster for more information.

Full Access
Question # 6

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

A.

python3 -c "import requests;print (requests.post (url='http://172.16.200.10/uploads/shell.php ', data={'cmd=id'}))"

B.

python3 -c "import requests;print (requests.post(url='http://172.16.200.10/uploads/shell.php ', data=

('cmd':'id') ) .text) "

C.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

{'cmd':'id'}) )"

D.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

('cmd':'id'}) .text) "

Full Access
Question # 7

A penetration tester captures SMB network traffic and discovers that users are mistyping the name of a fileshare server. This causes the workstations to send out requests attempting to resolve the fileshare server's name. Which of the following is the best way for a penetration tester to exploit this situation?

A.

Relay the traffic to the real file server and steal documents as they pass through.

B.

Host a malicious file to compromise the workstation.

C.

Reply to the broadcasts with a fake IP address to deny access to the real file server.

D.

Respond to the requests with the tester's IP address and steal authentication credentials.

Full Access
Question # 8

A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:

1;SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using?

A.

Blind SQL

B.

Boolean SQL

C.

Stacked queries

D.

Error-based

Full Access
Question # 9

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

A.

John the Ripper

B.

Hydra

C.

Mimikatz

D.

Cain and Abel

Full Access
Question # 10

Which of the following is a rules engine for managing public cloud accounts and resources?

A.

Cloud Custodian

B.

Cloud Brute

C.

Pacu

D.

Scout Suite

Full Access
Question # 11

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

A.

Using OpenVAS in default mode

B.

Using Nessus with credentials

C.

Using Nmap as the root user

D.

Using OWASP ZAP

Full Access
Question # 12

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

A.

Mask

B.

Rainbow

C.

Dictionary

D.

Password spraying

Full Access
Question # 13

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?

A.

nmap -sA 192.168.0.1/24

B.

nmap -sS 192.168.0.1/24

C.

nmap -oG 192.168.0.1/24

D.

nmap 192.168.0.1/24

Full Access
Question # 14

A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:

Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?

A.

Run an application vulnerability scan and then identify the TCP ports used by the application.

B.

Run the application attached to a debugger and then review the application's log.

C.

Disassemble the binary code and then identify the break points.

D.

Start a packet capture with Wireshark and then run the application.

Full Access
Question # 15

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

A.

Cross-site request forgery

B.

Server-side request forgery

C.

Remote file inclusion

D.

Local file inclusion

Full Access
Question # 16

A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:

Which of the following should the penetration tester do NEXT?

A.

Close the reverse shell the tester is using.

B.

Note this finding for inclusion in the final report.

C.

Investigate the high numbered port connections.

D.

Contact the client immediately.

Full Access
Question # 17

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?

A.

Phishing

B.

Tailgating

C.

Baiting

D.

Shoulder surfing

Full Access
Question # 18

A penetration tester obtained the following results after scanning a web server using the dirb utility:

...

GENERATED WORDS: 4612

---- Scanning URL: http://10.2.10.13/ ----

+ http://10.2.10.13/about (CODE:200|SIZE:1520)

+ http://10.2.10.13/home.html (CODE:200|SIZE:214)

+ http://10.2.10.13/index.html (CODE:200|SIZE:214)

+ http://10.2.10.13/info (CODE:200|SIZE:214)

...

DOWNLOADED: 4612 – FOUND: 4

Which of the following elements is MOST likely to contain useful information for the penetration tester?

A.

index.html

B.

about

C.

info

D.

home.html

Full Access
Question # 19

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.

Which of the following tools or techniques would BEST support additional reconnaissance?

A.

Wardriving

B.

Shodan

C.

Recon-ng

D.

Aircrack-ng

Full Access
Question # 20

Deconfliction is necessary when the penetration test:

A.

determines that proprietary information is being stored in cleartext.

B.

occurs during the monthly vulnerability scanning.

C.

uncovers indicators of prior compromise over the course of the assessment.

D.

proceeds in parallel with a criminal digital forensic investigation.

Full Access
Question # 21

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.

Which of the following is the penetration tester trying to accomplish?

A.

Uncover potential criminal activity based on the evidence gathered.

B.

Identify all the vulnerabilities in the environment.

C.

Limit invasiveness based on scope.

D.

Maintain confidentiality of the findings.

Full Access
Question # 22

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

A.

Create a one-shot system service to establish a reverse shell.

B.

Obtain /etc/shadow and brute force the root password.

C.

Run the nc -e /bin/sh <...> command.

D.

Move laterally to create a user account on LDAP

Full Access
Question # 23

Given the following output:

User-agent:*

Disallow: /author/

Disallow: /xmlrpc.php

Disallow: /wp-admin

Disallow: /page/

During which of the following activities was this output MOST likely obtained?

A.

Website scraping

B.

Website cloning

C.

Domain enumeration

D.

URL enumeration

Full Access
Question # 24

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?

A.

Steganography

B.

Metadata removal

C.

Encryption

D.

Encode64

Full Access
Question # 25

A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)

A.

Remove the logs from the server.

B.

Restore the server backup.

C.

Disable the running services.

D.

Remove any tools or scripts that were installed.

E.

Delete any created credentials.

F.

Reboot the target server.

Full Access
Question # 26

Appending string values onto another string is called:

A.

compilation

B.

connection

C.

concatenation

D.

conjunction

Full Access
Question # 27

A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?

A.

nmap –f –sV –p80 192.168.1.20

B.

nmap –sS –sL –p80 192.168.1.20

C.

nmap –A –T4 –p80 192.168.1.20

D.

nmap –O –v –p80 192.168.1.20

Full Access
Question # 28

Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:

A.

devices produce more heat and consume more power.

B.

devices are obsolete and are no longer available for replacement.

C.

protocols are more difficult to understand.

D.

devices may cause physical world effects.

Full Access
Question # 29

A company has hired a penetration tester to deploy and set up a rogue access point on the network.

Which of the following is the BEST tool to use to accomplish this goal?

A.

Wireshark

B.

Aircrack-ng

C.

Kismet

D.

Wifite

Full Access
Question # 30

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

A.

Manually check the version number of the VoIP service against the CVE release

B.

Test with proof-of-concept code from an exploit database

C.

Review SIP traffic from an on-path position to look for indicators of compromise

D.

Utilize an nmap –sV scan against the service

Full Access
Question # 31

Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?

A.

Acceptance by the client and sign-off on the final report

B.

Scheduling of follow-up actions and retesting

C.

Attestation of findings and delivery of the report

D.

Review of the lessons learned during the engagement

Full Access
Question # 32

During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following best describes why the tester was able to gain access?

A.

Federation misconfiguration of the container

B.

Key mismanagement between the environments

C.

laaS failure at the provider

D.

Container listed in the public domain

Full Access
Question # 33

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

A.

Utilize the tunnel as a means of pivoting to other internal devices.

B.

Disregard the IP range, as it is out of scope.

C.

Stop the assessment and inform the emergency contact.

D.

Scan the IP range for additional systems to exploit.

Full Access
Question # 34

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client’s laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?

A.

schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe

B.

wmic startup get caption,command

C.

crontab –l; echo “@reboot sleep 200 && ncat –lvp 4242 –e /bin/bash”) | crontab 2>/dev/null

D.

sudo useradd –ou 0 –g 0 user

Full Access
Question # 35

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client’s new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.

Which of the following is most important for the penetration tester to define FIRST?

A.

Establish the format required by the client.

B.

Establish the threshold of risk to escalate to the client immediately.

C.

Establish the method of potential false positives.

D.

Establish the preferred day of the week for reporting.

Full Access
Question # 36

A penetration tester who is performing a physical assessment of a company’s security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information?

A.

Badge cloning

B.

Dumpster diving

C.

Tailgating

D.

Shoulder surfing

Full Access
Question # 37

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

A.

Buffer overflows

B.

Cross-site scripting

C.

Race-condition attacks

D.

Zero-day attacks

E.

Injection flaws

F.

Ransomware attacks

Full Access
Question # 38

A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company’s request?

A.

The reverse-engineering team may have a history of selling exploits to third parties.

B.

The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.

C.

The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.

D.

The reverse-engineering team will be given access to source code for analysis.

Full Access
Question # 39

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

A.

nmap snn exclude 10.1.1.15 10.1.1.0/24 oA target_txt

B.

nmap ×’iR10oX out.xml | grep ×’Nmap×’ | cut d ×’"f5 > live-hosts.txt

C.

nmap ×’PnsV OiL target.txt ×’A target_text_Service

D.

nmap ×’sSPn n iL target.txt ×’A target_txtl

Full Access
Question # 40

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A.

Executive summary of the penetration-testing methods used

B.

Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.

Quantitative impact assessments given a successful software compromise

D.

Code context for instances of unsafe type-casting operations

Full Access
Question # 41

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?

A.

The tester had the situational awareness to stop the transfer.

B.

The tester found evidence of prior compromise within the data set.

C.

The tester completed the assigned part of the assessment workflow.

D.

The tester reached the end of the assessment time frame.

Full Access
Question # 42

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company’s network. Which of the following accounts should the tester use to return the MOST results?

A.

Root user

B.

Local administrator

C.

Service

D.

Network administrator

Full Access
Question # 43

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:

nmap –O –A –sS –p- 100.100.100.50

Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?

A.

A firewall or IPS blocked the scan.

B.

The penetration tester used unsupported flags.

C.

The edge network device was disconnected.

D.

The scan returned ICMP echo replies.

Full Access
Question # 44

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

A.

Key reinstallation

B.

Deauthentication

C.

Evil twin

D.

Replay

Full Access
Question # 45

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.

Which of the following Nmap scan syntaxes would BEST accomplish this objective?

A.

nmap -sT -vvv -O 192.168.1.2/24 -PO

B.

nmap -sV 192.168.1.2/24 -PO

C.

nmap -sA -v -O 192.168.1.2/24

D.

nmap -sS -O 192.168.1.2/24 -T1

Full Access
Question # 46

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp

touch –r .bash_history temp

mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

A.

Redirecting Bash history to /dev/null

B.

Making a copy of the user's Bash history for further enumeration

C.

Covering tracks by clearing the Bash history

D.

Making decoy files on the system to confuse incident responders

Full Access
Question # 47

Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.)

A.

The libraries may be vulnerable

B.

The licensing of software is ambiguous

C.

The libraries’ code bases could be read by anyone

D.

The provenance of code is unknown

E.

The libraries may be unsupported

F.

The libraries may break the application

Full Access
Question # 48

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Full Access
Question # 49

A penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

A.

Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection

B.

Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the

engagement

C.

Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team

D.

Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address

E.

Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop

F.

Retaining the SOW within the penetration tester’s company for future use so the sales team can plan future engagements

Full Access
Question # 50

A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT?

A.

Send deauthentication frames to the stations.

B.

Perform jamming on all 2.4GHz and 5GHz channels.

C.

Set the malicious AP to broadcast within dynamic frequency selection channels.

D.

Modify the malicious AP configuration to not use a pre-shared key.

Full Access
Question # 51

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A.

Follow the established data retention and destruction process

B.

Report any findings to regulatory oversight groups

C.

Publish the findings after the client reviews the report

D.

Encrypt and store any client information for future analysis

Full Access
Question # 52

A penetration tester conducted a vulnerability scan against a client’s critical servers and found the following:

Which of the following would be a recommendation for remediation?

A.

Deploy a user training program

B.

Implement a patch management plan

C.

Utilize the secure software development life cycle

D.

Configure access controls on each of the servers

Full Access
Question # 53

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.

Which of the following describes the scope of the assessment?

A.

Partially known environment testing

B.

Known environment testing

C.

Unknown environment testing

D.

Physical environment testing

Full Access
Question # 54

A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?

A.

As backup in case the original documents are lost

B.

To guide them through the building entrances

C.

To validate the billing information with the client

D.

As proof in case they are discovered

Full Access
Question # 55

Penetration on an assessment for a client organization, a penetration tester notices numerous outdated software package versions were installed ...s-critical servers. Which of the following would best mitigate this issue?

A.

Implementation of patching and change control programs

B.

Revision of client scripts used to perform system updates

C.

Remedial training for the client's systems administrators

D.

Refrainment from patching systems until quality assurance approves

Full Access
Question # 56

A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?

A.

Add thepasswords to an appendix in the penetration test report.

B.

Do nothing. Using passwords from breached data is unethical.

C.

Contactthe client and inform them of the breach.

D.

Use thepasswords in a credential stuffing attack when the external penetration test begins.

Full Access
Question # 57

A penetration tester wrote the following script on a compromised system:

#!/bin/bash

network='10.100.100'

ports='22 23 80 443'

for x in {1 .. 254};

do (nc -zv $network.$x $ports );

done

Which of the following would explain using this script instead of another tool?

A.

The typical tools could not be used against Windows systems.

B.

The configuration required the penetration tester to not utilize additional files.

C.

The Bash script will provide more thorough output.

D.

The penetration tester wanted to persist this script to run on reboot.

Full Access
Question # 58

A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs. Which of the following should the tester do to best meet the company's vulnerability scan requirements?

A.

Use Nmap's -T2 switch to run a slower scan and with less resources.

B.

Run the scans using multiple machines.

C.

Run the scans only during lunch hours.

D.

Use Nmap's -host-timeout switch to skip unresponsive targets.

Full Access
Question # 59

A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester most likely utilize?

A.

Wireshark

B.

Netcat

C.

Nmap

D.

Ettercap

Full Access
Question # 60

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

A.

Data modification

B.

Amplification

C.

Captive portal

D.

Evil twin

Full Access
Question # 61

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

[ATTEMPT] target 192.168.1.112 - login "root" - pass "abcde"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "edcfg"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "qazsw"

[ATTEMPT] target 192.168.1.112 - login "root" – pass “tyuio”

Which of the following is the penetration tester conducting?

A.

Port scan

B.

Brute force

C.

Credential stuffing

D.

DoS attack

Full Access
Question # 62

A potential reason for communicating with the client point of contact during a penetration test is to provide resolution if a testing component crashes a system or service and leaves them unavailable for both legitimate users and further testing. Which of the following best describes this concept?

A.

Retesting

B.

De-escalation

C.

Remediation

D.

Collision detection

Full Access
Question # 63

Given the following user-supplied data:

www.comptia.com/info.php?id=1 AND 1=1

Which of the following attack techniques is the penetration tester likely implementing?

A.

Boolean-based SQL injection

B.

Time-based SQL injection

C.

Stored cross-site scripting

D.

Reflected cross-site scripting

Full Access
Question # 64

Which of the following documents would be the most helpful in determining who is at fault for a temporary outage that occurred during a penetration test?

A.

Non-disclosure agreement

B.

Business associate agreement

C.

Assessment scope and methodologies

D.

Executive summary

Full Access
Question # 65

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization's sensitive files?

A.

Remote file inclusion

B.

Cross-site scripting

C.

SQL injection

D.

Insecure direct object references

Full Access
Question # 66

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

A.

nmap -sU -p 1-1024 10.0.0.15

B.

nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

C.

nmap -T5 -p 1-65535 -A 10.0.0.15

D.

nmap -T3 -F 10.0.0.15

Full Access
Question # 67

A penetration tester is looking for a particular type of service and obtains the output below:

I Target is synchronized with 127.127.38.0 (reference clock)

I Alternative Target Interfaces:

I 10.17.4.20

I Private Servers (0)

I Public Servers (0)

I Private Peers (0)

I Public Peers (0)

I Private Clients (2)

I 10.20.8.69 169.254.138.63

I Public Clients (597)

I 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152

I 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118

I 68.56.205.98

I 2001:1400:0:0:0:0:0:1 2001:16d8:ddOO:38:0:0:0:2

I 2002:db5a:bccd:l:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682

I Other Associations (1)

|_ 127.0.0.1 seen 1949869 times, last tx was unicast v2 mode 7

Which of the following commands was executed by the tester?

A.

nmap-sU-pU:517-Pn-n—script=supermicro-ipmi-config

B.

nmap-sU-pU:123-Pn-n—script=ntp-monlist

C.

nmap-sU-pU:161-Pn-n—script«voldemort-info

D.

nmap-sU-pU:37 -Pn -n —script=icap-info

Full Access
Question # 68

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:

nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191

The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

A.

All of the ports in the target range are closed.

B.

Nmap needs more time to scan the ports in the target range.

C.

The ports in the target range cannot be scanned because they are common UDP ports.

D.

All of the ports in the target range are open.

Full Access
Question # 69

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

A.

Determine active hosts on the network.

B.

Set the TTL of ping packets for stealth.

C.

Fill the ARP table of the networked devices.

D.

Scan the system on the most used ports.

Full Access
Question # 70

Which of the following tools would be the best to use to intercept an HTTP response at an API, change its content, and forward it back to the origin mobile device?

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Full Access
Question # 71

Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?

A.

Executive summary

B.

Vulnerability severity rating

C.

Recommendations of mitigation

D.

Methodology

Full Access
Question # 72

Given the following Nmap scan command:

[root@kali ~]# nmap 192.168.0 .* -- exclude 192.168.0.101

Which of the following is the total number of servers that Nmap will attempt to scan?

A.

1

B.

101

C.

255

D.

256

Full Access
Question # 73

Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client?

A.

Operating cost

B.

Required scope of work

C.

Non-disclosure agreement

D.

Client's budget

Full Access
Question # 74

Which of the following should be included in scope documentation?

A.

Service accounts

B.

Tester experience

C.

Disclaimer

D.

Number of tests

Full Access
Question # 75

A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?

A.

Increase password complexity.

B.

Implement system hardening.

C.

Restrict simultaneous user log-ins.

D.

Require local network access.

Full Access
Question # 76

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

A.

Include the findings in the final report.

B.

Notify the client immediately.

C.

Document which commands can be executed.

D.

Use this feature to further compromise the server.

Full Access
Question # 77

A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used to gather information about the wireless network?

A.

Kismet

B.

Burp Suite

C.

BeEF

D.

WHOIS

Full Access
Question # 78

A penetration tester runs the following command:

nmap -p- -A 10.0.1.10

Given the execution of this command, which of the following quantities of ports will Nmap scan?

A.

1,000

B.

1,024

C.

10,000

D.

65,535

Full Access
Question # 79

Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?

A.

OWASP Top 10

B.

MITRE ATT&CK

C.

Cyber Kill Chain

D.

Well-Architected Framework

Full Access
Question # 80

A penetration tester is preparing a credential stuffing attack against a company's website. Which of the following can be used to passively get the most relevant information?

A.

Shodan

B.

BeEF

C.

HavelBeenPwned

D.

Maltego

Full Access
Question # 81

Which of the following best explains why communication is a vital phase of a penetration test?

A.

To discuss situational awareness

B.

To build rapport with the emergency contact

C.

To explain the data destruction process

D.

To ensure the likelihood of future assessments

Full Access
Question # 82

A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

A.

Determine if the tester was proficient.

B.

Test a new non-public-facing server for vulnerabilities.

C.

Determine if the initial report is complete.

D.

Test the efficacy of the remediation effort.

Full Access
Question # 83

During a test of a custom-built web application, a penetration tester identifies several vulnerabilities. Which of the following would be the most interested in the steps to reproduce these vulnerabilities?

A.

Operations staff

B.

Developers

C.

Third-party stakeholders

D.

C-suite executives

Full Access
Question # 84

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:

nmap -sV -- script ssl-enum-ciphers -p 443 remotehost

| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

| TLS_ECDHE_RSA_WITH_RC4_128_SHA

| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)

TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)

Which of the following should the penetration tester include in the report?

A.

Old, insecure ciphers are in use.

B.

The 3DES algorithm should be deprecated.

C.

2,048-bit symmetric keys are incompatible with MD5.

D.

This server should be upgraded to TLS 1.2.

Full Access
Question # 85

Which of the following would be the most efficient way to write a Python script that interacts with a web application?

A.

Create a class for requests.

B.

Write a function for requests.

C.

Import the requests library.

D.

Use the cURL OS command.

Full Access
Question # 86

Which of the following members of a client organization are most likely authorized to provide a signed authorization letter prior to the start date of a penetration test?

A.

The IT department

B.

The executive management team and legal personnel

C.

Organizational security personnel

D.

The human resources team

Full Access
Question # 87

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

A.

Encrypting passwords

B.

Parameterizing queries

C.

Encoding output

D.

Sanitizing HTML

Full Access
Question # 88

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

<% String id = request.getParameter("id"); %>

Employee ID: <%= id %>

Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

A.

Parameterized queries

B.

Patch application

C.

Output encoding

Full Access
Question # 89

Which of the following is most important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A.

Executive summary of the penetration-testing methods used

B.

Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.

Quantitative impact assessments given a successful software compromise

D.

Code context for instances of unsafe typecasting operations

Full Access
Question # 90

A penetration tester developed the following script to be used during an engagement:

#!/usr/bin/python

import socket, sys

ports = [21, 22, 23, 25, 80, 139, 443, 445, 3306, 3389]

if len(sys.argv) > 1:

target = socket.gethostbyname (sys. argv [0])

else:

print ("Few arguments.")

print ("Syntax: python {} ". format (sys. argv [0]))

sys.exit ()

try:

for port in ports:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

s.settimeout (2)

result = s.connect_ex ((target, port) )

if result == 0:

print ("Port {} is opened". format (port) )

except KeyboardInterrupt:

print ("\nExiting ... ")

sys.exit ()

However, when the penetration tester ran the script, the tester received the following message:

socket.gaierror: [Errno -2] Name or service not known

Which of the following changes should the penetration tester implement to fix the script?

A.

From:

target = socket.gethostbyname (sys. argv [0])

To:

target = socket.gethostbyname (sys.argv[1])

B.

From:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

To:

s = socket.socket (socket.AF_INET, socket. SOCK_DGRAM)

C.

From:

import socket, sys

To:

import socket

import sys

D.

From:

result = s.connect_ex ((target, port) )

To:

result = s.connect ( (target, port) )

Full Access
Question # 91

Within a Python script, a line that states print (var) outputs the following:

[{'1' : 'CentOS', '2' : 'Ubuntu'), {'1' : 'Windows 10', '2' : 'Windows Server 2016'}]

Which of the following objects or data structures is var ?

A.

An array

B.

A class

C.

A dictionary

D.

A list

Full Access
Question # 92

Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Full Access
Question # 93

A penetration tester is conducting an assessment for an e-commerce company and successfully copies the user database to the local machine. After a closer review, the penetration tester identifies several high-profile celebrities who have active user accounts with the online service. Which of the following is the most appropriate next step?

A.

Contact the high-profile celebrities.

B.

Delete the high-profile accounts.

C.

Immediately contact the client.

D.

Record the findings in the penetration test report.

Full Access
Question # 94

In Python socket programming, SOCK_DGRAM type is:

A.

reliable.

B.

matrixed.

C.

connectionless.

D.

slower.

Full Access
Question # 95

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?

A.

Check the scoping document to determine if exfiltration is within scope.

B.

Stop the penetration test.

C.

Escalate the issue.

D.

Include the discovery and interaction in the daily report.

Full Access
Question # 96

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

A.

Wireshark

B.

EAPHammer

C.

Kismet

D.

Aircrack-ng

Full Access
Question # 97

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

A.

Setting up a secret management solution for all items in the source code management system

B.

Implementing role-based access control on the source code management system

C.

Configuring multifactor authentication on the source code management system

D.

Leveraging a solution to scan for other similar instances in the source code management system

E.

Developing a secure software development life cycle process for committing code to the source code management system

F.

Creating a trigger that will prevent developers from including passwords in the source code management system

Full Access
Question # 98

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?

A.

Network segmentation

B.

Key rotation

C.

Encrypted passwords

D.

Patch management

Full Access
Question # 99

A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." Which of the following audiences was this message intended?

A.

Systems administrators

B.

C-suite executives

C.

Data privacy ombudsman

D.

Regulatory officials

Full Access
Question # 100

An organization wants to identify whether a less secure protocol is being utilized on a wireless network. Which of the following types of attacks will achieve this goal?

A.

Protocol negotiation

B.

Packet sniffing

C.

Four-way handshake

D.

Downgrade attack

Full Access
Question # 101

Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

A.

Exploit-DB

B.

Metasploit

C.

Shodan

D.

Retina

Full Access
Question # 102

During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)

A.

Cross-site scripting

B.

Server-side request forgery

C.

SQL injection

D.

Log poisoning

E.

Cross-site request forgery

F.

Command injection

Full Access
Question # 103

A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?

A.

Nmap -s 445 -Pn -T5 172.21.0.0/16

B.

Nmap -p 445 -n -T4 -open 172.21.0.0/16

C.

Nmap -sV --script=smb* 172.21.0.0/16

D.

Nmap -p 445 -max -sT 172. 21.0.0/16

Full Access
Question # 104

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

Which of the following attacks is the penetration tester most likely trying to perform?

A.

Metadata service attack

B.

Container escape techniques

C.

Credential harvesting

D.

Resource exhaustion

Full Access
Question # 105

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)

A.

Telnet

B.

HTTP

C.

SMTP

D.

DNS

E.

NTP

F.

SNMP

Full Access
Question # 106

A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?

A.

Netcraft

B.

CentralOps

C.

Responder

D.

FOCA

Full Access
Question # 107

A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?

A.

Launch an external scan of netblocks.

B.

Check WHOIS and netblock records for the company.

C.

Use DNS lookups and dig to determine the external hosts.

D.

Conduct a ping sweep of the company's netblocks.

Full Access
Question # 108

When accessing the URL http://192.168.0-1/validate/user.php, a penetration tester obtained the following output:

..d index: eid in /apache/www/validate/user.php line 12

..d index: uid in /apache/www/validate/user.php line 13

..d index: pw in /apache/www/validate/user.php line 14

..d index: acl in /apache/www/validate/user.php line 15

A.

Lack of code signing

B.

Incorrect command syntax

C.

Insufficient error handling

D.

Insecure data transmission

Full Access
Question # 109

Which of the following is the most secure method for sending the penetration test report to the client?

A.

Sending the penetration test report on an online storage system.

B.

Sending the penetration test report inside a password-protected ZIP file.

C.

Sending the penetration test report via webmail using an HTTPS connection.

D.

Encrypting the penetration test report with the client’s public key and sending it via email.

Full Access
Question # 110

When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:

A.

security compliance regulations or laws may be violated.

B.

testing can make detecting actual APT more challenging.

C.

testing adds to the workload of defensive cyber- and threat-hunting teams.

D.

business and network operations may be impacted.

Full Access
Question # 111

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

A.

An unknown-environment assessment

B.

A known-environment assessment

C.

A red-team assessment

D.

A compliance-based assessment

Full Access
Question # 112

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

A.

Nmap

B.

Nikto

C.

Cain and Abel

D.

Ethercap

Full Access
Question # 113

A penetration tester gives the following command to a systems administrator to execute on one of the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A.

To trick the systems administrator into installing a rootkit

B.

To close down a reverse shell

C.

To remove a web shell after the penetration test

D.

To delete credentials the tester created

Full Access
Question # 114

Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

A.

OWASP ZAP

B.

Nmap

C.

Nessus

D.

BeEF

E.

Hydra

F.

Burp Suite

Full Access
Question # 115

A penetration tester has prepared the following phishing email for an upcoming penetration test:

Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?

A.

Familiarity and likeness

B.

Authority and urgency

C.

Scarcity and fear

D.

Social proof and greed

Full Access
Question # 116

A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

A.

Tailgating

B.

Dumpster diving

C.

Shoulder surfing

D.

Badge cloning

Full Access
Question # 117

During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?

A.

Badge cloning

B.

Watering-hole attack

C.

Impersonation

D.

Spear phishing

Full Access
Question # 118

A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

A.

Weak authentication schemes

B.

Credentials stored in strings

C.

Buffer overflows

D.

Non-optimized resource management

Full Access